When the login user interface is displayed and the user has
entered her credentials and clicked the "Log In" button, we need to
send the credentials to the server to determine whether they are valid. If they
are, then we need to sign the user into the site. How you validate a user's
credentials and how you sign them into the site depend on what techniques you
are using to support user accounts. For most ASP.NET sites, developers use forms
authentication and Membership.
With forms authentication, an authenticated user is
identified by means of an authentication ticket,
which is typically stored as a cookie on the user's browser. This
authentication ticket is created when the user signs into the site; on
subsequent visits, the browser includes the ticket in its request to the
website, which is what allows the website to identify the visitor.
Membership is an API in the .NET Framework for managing user
accounts. The Membership API uses the provider model
and can be used to store credentials in a SQL Server database or Active
Directory, among other user stores. The Membership
class in the .NET Framework includes a ValidateUser
method that accepts a username and password as input parameters and returns a
Boolean value indicating whether the supplied credentials were valid.
Regardless of how you support user accounts, for the login
overlay to work we need to be able to send the username and password entered by
the user to the server to have those credentials validated and the user signed
in. One option is to write your own server-side service, which you could do
using an ASP.NET page, ASP.NET MVC actions, a generic HTTP Handler, or as an
ASMX or WCF service. See my article, Accessing
Server-Side Data from Client Script, for more information on this topic.
Another option is to take advantage of ASP.NET's AuthenticationService feature, which was added in ASP.NET
3.5. The AuthenticationService feature offers
client-side scripts and a server-side service for accessing the forms
authentication and Membership systems. To use this functionality you must first
enable it. Listing 6 shows the configuration to add to Web.config
to turn on the AuthenticationService feature.
Listing 6 - Enable the AuthenticationService functionality for your website.
    <configuration>
      <system.web.extensions>
        <scripting>
          <webServices>
            <authenticationService enabled="true" />
          </webServices>
        </scripting>
      </system.web.extensions>
    </configuration>
The server-side AuthenticationService
service offers three methods: IsLoggedIn, Login, and Logout.
· The IsLoggedIn method returns the value
  of the Request.IsAuthenticated property, which is a
  Boolean value that indicates whether the request is from an authenticated user.
· The Login method accepts three input
  parameters: the username, password, and whether to create a persistent cookie.
  This method calls the Membership.ValidateUser method,
  passing in the supplied username and password. If the credentials are valid
  then the FormsAuthentication.SetAuthCookie method is
  called, which creates the forms authentication ticket and stores it in the
  browser's cookies collection.
· The Logout method calls the FormsAuthentication.SignOut method, which instructs the
  browser to remove its authentication ticket cookie, effectively logging the
  user out of the site.
When enabled, the server-side AuthenticationService
service is exposed via the URL Authentication_JSON_AppService.axd.
That is, you can invoke the IsLoggedIn, Login, and Logout server-side methods
from client script by making a properly-formatted HTTP request to www.example.com/Authentication_JSON_AppService.axd.
While you can certainly write your own JavaScript to accomplish this, there are
existing client-side functions in the ASP.NET Ajax Library to facilitate communicating
with the server-side AuthenticationService service.
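
The hand-written alternative mentioned above, as an added example that is not code from the original article or from the ASP.NET Ajax Library. The function names are hypothetical, and the wire format (a POST to the service URL plus /Login, a JSON body with userName, password and createPersistentCookie, and a reply wrapped as {"d": true}) is an assumption about what the library sends; the site is assumed to sit at the root of an HTTPS origin.

```javascript
// Added example; buildLoginRequest, parseLoginResponse and login are hypothetical names.
// Assumed wire format: POST <service>/Login with a JSON body, reply wrapped as {"d": <bool>}.
const SERVICE_PATH = "/Authentication_JSON_AppService.axd";

function buildLoginRequest(siteOrigin, userName, password, createPersistentCookie) {
  const url = new URL(SERVICE_PATH + "/Login", siteOrigin);
  // The password travels in the request body, so refuse any non-TLS endpoint.
  if (url.protocol !== "https:") {
    throw new Error("Refusing to send credentials over " + url.protocol);
  }
  if (typeof userName !== "string" || userName.length === 0 ||
      typeof password !== "string" || password.length === 0) {
    throw new Error("Username and password are required");
  }
  return {
    url: url.href,
    method: "POST",
    credentials: "same-origin", // same-origin requests may set and send the ticket cookie
    headers: { "Content-Type": "application/json; charset=utf-8" },
    // JSON.stringify escapes quotes and backslashes in user input.
    body: JSON.stringify({
      userName: userName,
      password: password,
      createPersistentCookie: createPersistentCookie === true
    })
  };
}

function parseLoginResponse(status, responseText) {
  if (status !== 200) return false;
  let parsed;
  try { parsed = JSON.parse(responseText); } catch (e) { return false; }
  // Only a literal Boolean true counts as a successful sign-in.
  return parsed !== null && typeof parsed === "object" && parsed.d === true;
}

// Browser-side usage: resolves to true only when the server validated the credentials.
async function login(siteOrigin, userName, password, persistent) {
  const req = buildLoginRequest(siteOrigin, userName, password, persistent);
  const res = await fetch(req.url, req);
  return parseLoginResponse(res.status, await res.text());
}
```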
To use the ASP.NET Ajax Library to interface with the AuthenticationService service in ASP.NET MVC applications you
need to include the MicrosoftAjax.js and MicrosoftAjaxApplicationServices.js script files, which you
can download (or link to) from http://ajax.aspnetcdn.com/ajax/4.0/1/MicrosoftAjax.js
and http://ajax.aspnetcdn.com/ajax/4.0/1/MicrosoftAjaxApplicationServices.js.
You also need to explicitly set the Sys.Services._AuthenticationService.DefaultWebServicePath
property to the URL of the server-side AuthenticationService
service, Authentication_JSON_AppService.axd. (See line
13 in the ~/Views/Shared/_Layout.cshtml file.)
To use the ASP.NET Ajax Library to interface with the AuthenticationService service in ASP.NET WebForms
applications, simply add a ScriptManager control to your master page. The
ScriptManager automatically includes the necessary script files and assigns the
Sys.Services._AuthenticationService.DefaultWebServicePath
property for you. (Alternatively, you could bypass adding a ScriptManager
control and manually add the necessary script files and script code like with
an ASP.NET MVC application.)